1.2 Million CPR Numbers Of Danish Citizens Leaked Through Tax Service – Experts Reaction

By   ISBuzz Team
Writer , Information Security Buzz | Feb 11, 2020 04:17 am PST

In response to DR reports that a glitch in the TastSelv Borger tax service has sent over one million Danish CPR numbers to the US companies Google and Adobe, cybersecurity experts commented below.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
James McQuiggan
James McQuiggan , Security Awareness Advocate
February 11, 2020 12:20 pm

Whether or not Google had visibility into the CPR numbers for Danish residents, which have similar identification capabilities here in the U.S., it\’s important to monitor your accounts and tax returns. If a criminal hacker were to be in possession of a Danish CPR, they could file taxes on behalf of the person and essentially steal their tax return, similar to the types of attacks that happen in the U.S. Similarly, in the U.S., it\’s becoming strongly apparent that everyone needs to monitor all critical identifiable information about themselves to prevent fraud or identity theft. Monitoring services are available and should be used to effectively to review the activity of one\’s own social security number, social insuarnce number if you\’re in Canada or the CPR number in Denmark.

Organizations need to thoroughly test and verify all capabilities and updates when encrypting and transmitting any personal sensitive information from one entity to another to ensure that additional vulnerabilities are not created. While as consumers, there is an expectation of a certain level of protection and privacy, vigilance towards monitoring your accounts, tax returns and credit information is needed in today\’s day and age more than ever to protect yourself and your credit.

Last edited 4 years ago by James McQuiggan
Jelle Wieringa
Jelle Wieringa , Technical Evangelist
February 11, 2020 12:18 pm

There are a number of things that make a data breach like this one alarming. The CPR (the civil registration number that every Danish citizen is required to have) is valuable data for hackers, as it identifies individuals and is used to access government services. The other part is that the data was exposed for such a long time, which makes it extremely difficult to investigate how it occurred, who had access to this data and how it was potentially used.

For data to be exposed for such a long time, there has to be a serious flaw in the security processes and governance. A review of these, including vulnerability management and awareness programs, should be done to prevent this from happening again.

I assume the Danish Data Protection Agency will look into this and if the breach at Taxa 4×35 of last year is any indication, there will be heavy fines to pay.

Last edited 4 years ago by Jelle Wieringa

Recent Posts

Would love your thoughts, please comment.x